Current Cyber Threats

WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

Summary:
WatchGuard has issued a critical security advisory regarding CVE-2025-14733 (CVSS 9.3), an out-of-bounds write vulnerability in the Fireware OS iked process that allows remote, unauthenticated attackers to execute arbitrary code. The flaw specifically impacts Firebox devices configured with mobile user VPNs or Branch Office VPNs (BOVPN) using IKEv2 with dynamic gateway peers; notably, even if these configurations were previously deleted, a device may remain vulnerable if a BOVPN to a static gateway peer is still active. WatchGuard has confirmed active exploitation in the wild and provided several indicators of compromise (IoCs), including log entries indicating peer certificate chains longer than eight, CERT payloads exceeding 2000 bytes, and instances of the iked process hanging or crashing. At least one IP address involved in these attacks (199.247.7[.]82) has been previously linked to the exploitation of recent critical vulnerabilities in Fortinet infrastructure (CVE-2025-59718 and CVE-2025-59719). Security teams are urged to apply the latest firmware updates immediately or follow interim mitigations, such as disabling dynamic peer BOVPNs and implementing strict IP-based firewall aliases for static VPN peers.

Security Officer Comments:
The exploitation of CVE-2025-14733 underscores the persistent targeting of edge networking infrastructure by sophisticated actors who are increasingly pivoting across vendor ecosystems, as evidenced by the infrastructure overlap between the WatchGuard and Fortinet attacks. Beyond vulnerability exploitation, the threat landscape for VPN gateways is further complicated by massive, automated credential-based campaigns. Recent telemetry from GreyNoise highlights this trend, revealing a coordinated surge in mid-December targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect endpoints. These attacks, originating largely from 3xK GmbH hosting provider infrastructure, used scripted password spraying and credential stuffing rather than software exploits to inventory and compromise exposed portals. Collectively, these developments indicate that enterprise VPNs currently face a "pincer" threat model: targeted exploitation of critical zero-day vulnerabilities like those in WatchGuard and Fortinet, alongside industrial-scale automated login attempts intended to bypass authentication through credential reuse. Affected organizations should prioritize rapid patching. These events also emphasize that basic best practices, such as enforcing MFA, go a long way toward mitigating these developing risks.

Suggested Corrections:
As temporary mitigation for devices with vulnerable Branch Office VPN (BOVPN) configurations, the company has urged administrators to disable dynamic peer BOVPNs, create an alias that includes the static IP addresses of remote BOVPN peers, add new firewall policies that allow access from the alias, and disable the default built-in policies that handle VPN traffic.
  • Password/MFA Hygiene: Ensure all systems are protected with strong passwords and multi-factor authentication (MFA).
  • Regular Edge Device Audits: Consistently audit Cisco and Palo Alto Networks appliances to determine whether login attempts are expected or require escalation.
  • Secret Rotation: Rotate all locally stored secrets on vulnerable Firebox appliances.
  • Firmware Update: Install the latest Fireware OS release that contains the fix.
The following IP addresses are directly associated with known threat actor activity. Outbound connections to these IPs are a strong indicator of compromise. Inbound connections from these IPs could indicate reconnaissance efforts or exploit attempts.
  • 45.95.19[.]50
  • 51.15.17[.]89
  • 172.93.107[.]67
  • 199.247.7[.]82
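The advisory's IoCs (certificate chains longer than eight, CERT payloads over 2000 bytes, iked crashes or hangs) and the IP list above can be turned into a simple log triage check. The following is an added example, not WatchGuard's or the article's code: the log line shape, field names and the `peer=` tag are assumptions, and the sample lines are constructed, so the regexes must be adapted to the real Fireware log format described in the advisory.

```python
import re

# IoCs as reported on this page; the page defangs the IPs with "[.]".
KNOWN_BAD_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}
MAX_CHAIN_LEN = 8        # peer certificate chains longer than eight are suspicious
MAX_CERT_PAYLOAD = 2000  # CERT payloads over 2000 bytes are suspicious

# Assumed line shape: "<ts> iked <message> peer=<ip>". Not the real Fireware format.
_CHAIN_RE = re.compile(r"cert(?:ificate)? chain (?:length|len)[=: ]+(\d+)", re.I)
_CERT_RE = re.compile(r"CERT payload[^0-9]*(\d+) bytes", re.I)
_CRASH_RE = re.compile(r"\biked\b.*\b(crash|hang|hung|restart|segfault)", re.I)
_PEER_RE = re.compile(r"peer=(\d{1,3}(?:\.\d{1,3}){3})")


def classify_line(line: str) -> list:
    """Return the IoC labels matched by one log line (empty list if none)."""
    hits = []
    m = _CHAIN_RE.search(line)
    if m and int(m.group(1)) > MAX_CHAIN_LEN:
        hits.append("long_cert_chain")
    m = _CERT_RE.search(line)
    if m and int(m.group(1)) > MAX_CERT_PAYLOAD:
        hits.append("oversized_cert_payload")
    if _CRASH_RE.search(line):
        hits.append("iked_crash_or_hang")
    m = _PEER_RE.search(line)
    if m and m.group(1) in KNOWN_BAD_IPS:
        hits.append("known_bad_peer")
    return hits


def scan(lines: list) -> dict:
    """Count IoC hits across a log excerpt; any non-empty result warrants triage."""
    counts = {}
    for line in lines:
        for hit in classify_line(line):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


# Constructed sample excerpt, not real Firebox output.
SAMPLE_LOG = [
    "2025-12-17T10:01:02 iked IKEv2 SA established peer=203.0.113.10",
    "2025-12-17T10:02:15 iked peer certificate chain length=11 peer=199.247.7.82",
    "2025-12-17T10:02:15 iked received CERT payload of 4096 bytes peer=199.247.7.82",
    "2025-12-17T10:02:16 kernel: iked process crashed, restarting",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit on any label is a trigger for the advisory's response steps (patch, rotate locally stored secrets, restrict BOVPN peers to an IP alias), not proof of compromise on its own.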
Link(s):
https://thehackernews.com/2025/12/watchguard-warns-of-active-exploitation.html

https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027